Security Bulletin: Multiple vulnerabilites affect Engineering Lifecycle Management and IBM Engineering products.

Summary

There are multiple vulnerabilities that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Engineering Lifecycle Management (ELM), IBM Engineering Requirements Management DOORS Next (DOORS Next), IBM Engineering Workflow Management (EWM), IBM Engineering Lifecycle Optimization - Engineering Insights (ENI), IBM Engineering Requirements Quality Assistant On-Premises.

Vulnerability Details

CVEID:CVE-2020-5004
**DESCRIPTION:**IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192957 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-4974
**DESCRIPTION:**IBM Jazz Foundation is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192434 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2018-10237
**DESCRIPTION:**Google Guava is vulnerable to a denial of service, caused by improper eager allocation checks in the AtomicDoubleArray and CompoundOrdering class. By sending a specially-crafted data, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/142508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2015-5237
**DESCRIPTION:**Google Protocol Buffers could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in MessageLite::SerializeToString. A remote attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/105989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2021-23841
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in the X509_issuer_and_serial_hash() function. By parsing the issuer field, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-23840
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196848 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-23839
**DESCRIPTION:**OpenSSL could provide weaker than expected security, caused by incorrect SSLv2 rollback protection that allows for the inversion of the logic during a padding check. If the server is configured for SSLv2 support at compile time, configured for SSLv2 support at runtime or configured for SSLv2 ciphersuites, it will accept a connection if a version rollback attack has occurred and erroneously reject a connection if a normal SSLv2 connection attempt is made.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

For the 6.0.6 - 7.0.2 releases:

Upgrade to version 7.0.2 iFix005 or later

• IBM Engineering Lifecycle Management 7.0.2 iFix005
• IBM Engineering Requirements Management DOORS Next 7.0.2 iFix005
• IBM Engineering Test Management 7.0.2 iFix005
• IBM Engineering Workflow Management 7.0.2 iFix005
• IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.2 and install server from ELM 7.0.2 iFix005
• IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0.2 and install server from ELM 7.0.2 iFix005
• IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.2 and install server from ELM 7.0.2 iFix005
• IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.2 and install server from ELM 7.0.2 iFix005

Upgrade to version 7.0.1 iFix010 or later

• IBM Engineering Lifecycle Management 7.0.1 iFix010
• IBM Engineering Requirements Management DOORS Next 7.0.1 iFix010
• IBM Engineering Test Management 7.0.1 iFix010
• IBM Engineering Workflow Management 7.0.1 iFix010
• IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix010
• IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix010
• IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix010
• IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0.1 and install server from ELM 7.0.1 iFix010

Upgrade to version 7.0 iFix010 or later

• IBM Engineering Lifecycle Management 7.0 iFix010
• IBM Engineering Requirements Management DOORS Next 7.0 iFix010
• IBM Engineering Test Management 7.0 iFix010
• IBM Engineering Workflow Management 7.0 iFix010
• IBM Engineering Lifecycle Optimization - Engineering Insights:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix010
• IBM Engineering Lifecycle Optimization - Publishing:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix010
• IBM Engineering Systems Design Rhapsody - Design Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix010
• IBM Engineering Systems Design Rhapsody - Model Manager:_ _Upgrade to version 7.0 and install server from ELM 7.0 iFix010

Upgrade to version 6.0.6.1 iFix018 or later

• Rational Collaborative Lifecycle Management 6.0.6.1 iFix018
• Rational DOORS Next Generation 6.0.6.1 iFix018
• Rational Quality Manager 6.0.6.1 iFix018
• Rational Team Concert 6.0.6.1 iFix018
• Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix018
• Rational Publishing Engine:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix018
• Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix018
• IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix018
• Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6.1 and install server from CLM 6.0.6.1 iFix018

Upgrade to version 6.0.6 iFix022 or later

• Rational Collaborative Lifecycle Management 6.0.6 iFix022
• Rational DOORS Next Generation 6.0.6 iFix022
• Rational Quality Manager 6.0.6 iFix022
• Rational Team Concert 6.0.6 iFix022
• Rational Engineering Lifecycle Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix022
• Rational Publishing Engine:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix022
• Rational Rhapsody Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix022
• IBM Rhapsody Model Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix022
• Rational Software Architect Design Manager:_ _Upgrade to version 6.0.6 and install server from CLM 6.0.6 iFix022

For IBM Engineering Requirements Quality Assistant On-Premises:

• Please follow the RQA Upgrade instructions.

For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

If the iFix is not found in the Fix Portal please contact IBM Support.

Workarounds and Mitigations

None